Audit Policies and Subcategories

Published: February 27, 2008

An Audit policy determines which security events to report to administrators to establish a record of user or system activity based on specified event categories. Administrators can monitor security-related activity, such as who accesses an object, when users log on to or log off from computers, or if changes are made to an Audit policy setting. For all of these reasons, Microsoft recommends that you form an Audit policy for an administrator to implement in your environment.

However, before you implement an Audit policy you must investigate which event categories to audit in your environment. The audit settings you choose within the event categories define your Audit policy. Then an administrator can create an Audit policy to meet the security needs of your organization.

If you do not configure audit settings, it will be difficult or impossible to determine what took place during a security incident. However, if you configure audit settings so that too many authorized activities generate events, the Security event log will fill up with too much data. The information in the following sections of this appendix is designed to help you decide what to monitor to facilitate the collection of relevant audit data for your organization.

Windows Server® 2008 includes the same nine Audit policy categories that are present in earlier versions of Windows:

System

Logon/Logoff

Object Access

Privilege Use

Detailed Tracking

Policy Change

Account Management

Directory Service Access

Account Logon

However, Windows Server 2008 allows you to manage Audit policy in a more precise way by including 50 Audit policy subcategories. Although not all subcategories apply to Windows Server 2008–based computers, you can configure many of them to record specific events that provide valuable information.

In the past, you could easily configure any of the nine audit categories using Group Policy. Although the same method is possible with Windows Server 2008, you cannot individually configure the new audit subcategories using the Group Policy Management Console (GPMC), because the subcategories are not exposed in the GPMC. If you enable any of the audit category settings that are present in the GPMC on Windows Server 2008, this action also enables the subcategory settings that belong to that category. For this reason, enabling Audit policy settings by category will likely cause excessive audit logging that quickly fills up your event logs.

Microsoft recommends that you configure only the necessary audit subcategory settings, using a command-line tool included in Windows Server 2008 called AuditPol.exe.

Using a command-line tool to implement prescribed Audit policy settings across many computers is difficult. However, Microsoft has developed a solution for configuring audit subcategories using Group Policy. The scripts and Group Policy objects (GPOs) included with the security guide and appendix for this solution automatically implement these settings for you.

When you run the GPOAccelerator as described in Chapter 1, "Implementing a Security Baseline" of the security guide, the script automatically copies the following member server and domain controller files to the NETLOGON share of one of your domain controllers.

For the EC environment:

EC-WSSGAuditPolicy-MS.cmd

EC-WSSGApplyAuditPolicy-MS.cmd

EC-WSSGAuditPolicy-MS.txt

EC-WSSGAuditPolicy-DC.cmd

EC-WSSGApplyAuditPolicy-DC.cmd

EC-WSSGAuditPolicy-DC.txt

For the SSLF environment:

SSLF-WSSGAuditPolicy-MS.cmd

SSLF-WSSGApplyAuditPolicy-MS.cmd

SSLF-WSSGAuditPolicy-MS.txt

SSLF-WSSGAuditPolicy-DC.cmd

SSLF-WSSGApplyAuditPolicy-DC.cmd

SSLF-WSSGAuditPolicy-DC.txt

These files then automatically replicate to the NETLOGON share of the domain controllers in your domain that use Active Directory® Domain Services (AD DS). The specific GPOs that the GPOAccelerator creates include a computer startup script that runs these files to configure the prescribed Audit policy settings. The first time these files run on a computer, a scheduled task named WSSGAudit is created. This task runs every hour to help ensure that the Audit policy settings are up to date.

The following tables summarize the Audit policy setting recommendations for servers in the two types of secure environments discussed in the Windows Server 2008 Security Guide. Review these recommendations and adjust them as appropriate for your organization. Information about how to modify and remove the Audit policy settings that the GPOs configure appears after the Audit policy setting tables.

Note Microsoft recommends taking extra caution when using Audit settings that can generate large volumes of audit events. For example, if you enable either success or failure auditing for all of the Privilege Use subcategory settings, the high volume of audit events these settings generate will make it difficult to find other types of entries in the Security event log. Such a configuration could also have a significant negative effect on performance.

The following sections provide a brief description of each Audit policy. The tables in each section include recommendations for domain controllers in the two types of secure environments discussed in this guide.

System

The System audit category in Windows Server 2008 allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system.

The System audit category contains subcategories defined in the following table, along with configuration recommendations for each one.

Table A24. System Audit Policy Subcategory Recommendations

Audit policy subcategory              EC domain controller    SSLF domain controller    EC member server      SSLF member server
§ Security System Extension           Success and Failure     Success and Failure       Success and Failure   Success and Failure
§ System Integrity                    Success and Failure     Success and Failure       Success and Failure   Success and Failure
§ IPsec Driver                        Success and Failure     Success and Failure       Success and Failure   Success and Failure
§ Other System Events                 No auditing             No auditing               No auditing           No auditing
§ Security State Change               Success and Failure     Success and Failure       Success and Failure   Success and Failure

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

Logon/Logoff

The Logon/Logoff audit category in Windows Server 2008 generates events that record the creation and destruction of logon sessions. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource.

If you configure the Audit logon events setting to No auditing, it is difficult or impossible to determine which users have accessed or attempted to access your organization's computers.

The Logon/Logoff events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.

Table A25. Logon/Logoff Audit Policy Subcategory Recommendations

Audit policy subcategory              EC domain controller    SSLF domain controller    EC member server      SSLF member server
§ Logon                               Success                 Success and Failure       Success               Success and Failure
§ Logoff                              Success                 Success                   Success               Success
§ Account Lockout                     No auditing             No auditing               No auditing           No auditing
§ IPsec Main Mode                     No auditing             No auditing               No auditing           No auditing
§ IPsec Quick Mode                    No auditing             No auditing               No auditing           No auditing
§ IPsec Extended Mode                 No auditing             No auditing               No auditing           No auditing
§ Special Logon                       Success                 Success                   Success               Success
§ Other Logon/Logoff Events           No auditing             No auditing               No auditing           No auditing
§ Network Policy Server               No auditing             No auditing               No auditing           No auditing

Note No events map to the Account Lockout subcategory.

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

Object Access

By itself, the Object Access audit category in Windows Server 2008 will not audit any events. Settings in this category determine whether to audit when a user accesses an object—for example, a file, folder, registry key, or printer—that has a specified system access control list (SACL), which effectively enables auditing to occur.

A SACL is made up of access control entries (ACEs). Each ACE contains three pieces of information:

If you configure the Audit object access setting to Success, an audit entry is generated each time that a user successfully accesses an object with a specified SACL. If you configure this policy setting to Failure, an audit entry is generated each time that a user fails an attempt to access an object with a specified SACL.

Organizations should define only the actions that they want enabled when they configure SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track when they are changed or replaced, because computer viruses, worms, and Trojan horses typically target executable files. Similarly, you might want to track when sensitive documents are accessed or changed.

The Object Access events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.

Table A26. Object Access Audit Policy Subcategory Recommendations

Audit policy subcategory              EC domain controller    SSLF domain controller    EC member server      SSLF member server
§ File System                         No auditing             Failure                   No auditing           Failure
§ Registry                            No auditing             Failure                   No auditing           Failure
§ Kernel Object                       No auditing             No auditing               No auditing           No auditing
§ SAM                                 No auditing             No auditing               No auditing           No auditing
§ Certification Services              No auditing             No auditing               No auditing           No auditing
§ Application Generated               No auditing             No auditing               No auditing           No auditing
§ Handle Manipulation                 No auditing             No auditing               No auditing           No auditing
§ File Share                          No auditing             No auditing               No auditing           No auditing
§ Filtering Platform Packet Drop      No auditing             No auditing               No auditing           No auditing
§ Filtering Platform Connection       No auditing             No auditing               No auditing           No auditing
§ Other Object Access Events          No auditing             No auditing               No auditing           No auditing

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

Configuring and Testing Object Access Audit Rules

The following procedures describe how to configure audit rules on a file or folder, and how to test each audit rule for each object in the specified file or folder.

Note You must use Auditpol.exe to configure the File System subcategory to audit Success and Failure events before the following procedure will log any events in the Security event log.

To define an audit rule for a file or folder

Use Windows Explorer to locate the file or folder and then click it.

On the File menu, click Properties.

Click the Security tab, and then click the Advanced button.

Click the Auditing tab.

If prompted for administrative credentials, click Continue, type your username and password, and then press ENTER.

Click the Add button to display the Select User, Computer, or Group dialog box.

Click the Object Types button, and then in the Object Types dialog box, select the object types you want to find.

Click the Locations button, and then in the Location dialog box, select either your domain or local computer.

In the Select User or Group dialog box, under Enter the object names to select, type the name of the group or user you want to audit (for example, Authenticated Users to audit the access of all authenticated users), and then click OK.

The Auditing Entry dialog box appears.

Determine the type of access you want to audit on the file or folder using the Auditing Entry dialog box.

Note Remember that each object access may generate multiple events in the event log and cause it to grow rapidly.

In the Auditing Entry dialog box, next to List Folder/Read Data, select Successful and Failed, and then click OK.

You can view the audit entries you enabled under the Auditing tab of the Advanced Security Settings dialog box.

Click OK to close the Properties dialog box.

To test an audit rule for a file or folder

Open the file or folder.

Close the file or folder.

Start the Event Viewer. Several Object Access events with Event ID 4663 will appear in the Security event log.

Double-click the events as needed to view their details.
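The two procedures above, carried out from PowerShell instead of the Explorer dialogs, as an added example that is not part of the security guide: it attaches the same audit rule (Authenticated Users, List Folder/Read Data, Successful and Failed) to a folder, triggers one access, and then reads the resulting Event ID 4663 entries back from the Security log. It assumes the File System subcategory has already been set to Success and Failure with Auditpol.exe, as the note above requires, and that $Folder (a placeholder) is the folder you want to audit.

```powershell
# Added example: define a file-system audit rule and read back the 4663 events it produces.
# Run from an elevated prompt; reading or writing a SACL requires SeSecurityPrivilege.
param(
    [string]$Folder = 'C:\AuditDemo'   # placeholder path; replace with the folder to audit
)

# Create the folder if needed so the SACL has something to attach to.
if (-not (Test-Path -LiteralPath $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

# Equivalent of the Auditing Entry dialog: Authenticated Users, List Folder/Read Data,
# Successful and Failed, applied to this folder, its subfolders and its files.
$identity  = New-Object System.Security.Principal.SecurityIdentifier(
                 [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
$rights    = [System.Security.AccessControl.FileSystemRights]::ReadData
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $identity, $rights, $inherit, $propagate, $flags)

# Get-Acl -Audit reads the SACL as well as the DACL; Set-Acl writes the updated SACL back.
$acl = Get-Acl -LiteralPath $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# "Open the folder": one directory listing is enough to generate a 4663 event.
Get-ChildItem -LiteralPath $Folder | Out-Null

# "Start the Event Viewer": pull recent 4663 events and unpack the EventData fields.
$since = (Get-Date).AddMinutes(-5)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object     = $d.ObjectName
            AccessMask = $d.AccessMask
            Process    = $d.ProcessName
        }
    } |
    Where-Object { $_.Object -like "$Folder*" } |
    Format-Table -AutoSize
```

Because the rule inherits to every file and subfolder, each access to the tree can produce several 4663 entries, which is the growth the note in the procedure warns about.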

Privilege Use

The Privilege Use audit category in Windows Server 2008 determines whether to audit each instance of a user exercising a user right. If you configure these settings to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure these settings to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. These policy settings can generate a very large number of event records.

The Privilege Use events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.

Table A27. Privilege Use Audit Policy Subcategory Recommendations

Audit policy subcategory              EC domain controller    SSLF domain controller    EC member server      SSLF member server
§ Sensitive Privilege Use             No auditing             Success and Failure       No auditing           Success and Failure
§ Non Sensitive Privilege Use         No auditing             No auditing               No auditing           No auditing
§ Other Privilege Use Events          No auditing             No auditing               No auditing           No auditing

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

Detailed Tracking

The Detailed Tracking audit category in Windows Server 2008 determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking generates a large number of events, so it is typically set to No Auditing. However, the information this setting records about which processes started and when they were launched can be of great benefit during an incident response.

The Detailed Tracking events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.

Table A28. Detailed Tracking Audit Policy Subcategory Recommendations

Audit policy subcategory              EC domain controller    SSLF domain controller    EC member server      SSLF member server
§ Process Termination                 No auditing             No auditing               No auditing           No auditing
§ DPAPI Activity                      No auditing             No auditing               No auditing           No auditing
§ RPC Events                          No auditing             No auditing               No auditing           No auditing
§ Process Creation                    Success                 Success                   Success               Success

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

Policy Change

The Policy Change audit category in Windows Server 2008 determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate—for example, if an attacker were to attempt to turn off auditing, that change itself would be recorded.

The Policy Change events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.

Table A29. Policy Change Audit Policy Subcategory Recommendations

Audit policy subcategory              EC domain controller    SSLF domain controller    EC member server      SSLF member server
§ Audit Policy Change                 Success and Failure     Success and Failure       Success and Failure   Success and Failure
§ Authentication Policy Change        Success                 Success                   Success               Success
§ Authorization Policy Change         No auditing             No auditing               No auditing           No auditing
§ MPSSVC Rule-Level Policy Change     No auditing             No auditing               No auditing           No auditing
§ Filtering Platform Policy Change    No auditing             No auditing               No auditing           No auditing
§ Other Policy Change Events          No auditing             No auditing               No auditing           No auditing

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

Account Management

The Account Management audit category in Windows Server 2008 helps you track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.

The Account Management events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

Directory Service Access

The Directory Service Access audit category in Windows Server 2008 applies only to domain controllers. For this reason, the Directory Service Access audit category and all related subcategories are configured to No Auditing for member servers in both environments discussed in the security guide.

The Directory Service Access events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

Account Logon

The Account Logon audit category in Windows Server 2008 generates events for credential validation. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on.

The Account Logon events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.

Table A32. Account Logon Audit Policy Subcategory Recommendations

Audit policy subcategory              EC domain controller    SSLF domain controller    EC member server      SSLF member server
§ Kerberos Authentication Service     No auditing             No auditing               No auditing           No auditing
§ Credential Validation               Success                 Success and Failure       Success               Success and Failure
§ Kerberos Service Ticket Operations  No auditing             No auditing               No auditing           No auditing
§ Other Account Logon Events          No auditing             No auditing               No auditing           No auditing

Note No events map to the Other Account Logon Events subcategory.

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.
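A way to check whether a server actually matches the recommendations above, as an added example that is not part of the security guide or its scripts: the expected values are transcribed from the EC member server column of Tables A24 to A32, and the effective policy is read with the CSV report mode of Auditpol.exe. Run it from an elevated prompt; extend the hashtable with more rows, or swap in the SSLF column, as needed.

```powershell
# Added example: compare the effective audit subcategory settings with the EC member server baseline.
$Expected = @{
    'Security System Extension'    = 'Success and Failure'   # Table A24
    'System Integrity'             = 'Success and Failure'
    'IPsec Driver'                 = 'Success and Failure'
    'Other System Events'          = 'No Auditing'
    'Security State Change'        = 'Success and Failure'
    'Logon'                        = 'Success'               # Table A25
    'Logoff'                       = 'Success'
    'Special Logon'                = 'Success'
    'File System'                  = 'No Auditing'           # Table A26
    'Registry'                     = 'No Auditing'
    'Sensitive Privilege Use'      = 'No Auditing'           # Table A27
    'Process Creation'             = 'Success'               # Table A28
    'Audit Policy Change'          = 'Success and Failure'   # Table A29
    'Authentication Policy Change' = 'Success'
    'Credential Validation'        = 'Success'               # Table A32
}

# "auditpol /get /category:* /r" prints a CSV report; its "Inclusion Setting" column holds the
# effective value as "Success", "Failure", "Success and Failure" or "No Auditing".
$report = auditpol /get /category:* /r | ConvertFrom-Csv
if ($LASTEXITCODE -ne 0) { throw 'auditpol /get failed (is the prompt elevated?)' }

$results = foreach ($name in $Expected.Keys) {
    $row    = $report | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $Expected[$name]
        Actual      = $actual
        Compliant   = ($actual -eq $Expected[$name])   # -eq is case-insensitive in PowerShell
    }
}

$results | Sort-Object Compliant, Subcategory | Format-Table -AutoSize

# Non-zero exit code makes the check usable from a scheduled task or monitoring job.
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) subcategory setting(s) differ from the EC member server baseline."
    exit 1
}
```

Auditpol.exe reports subcategory names in the system's display language, so on a non-English server the keys of the hashtable must match the localized names.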

To modify the audit policy subcategories and settings that the GPOs for this security guide configure, use Auditpol.exe to change the configuration of one computer in your environment, and then generate a file that contains the audit policy settings for your environment. The computer GPOs for this security guide can then apply the modified audit policy to the computers in your environment.

To modify your audit policy configuration

Log on as a domain administrator to a computer running Windows Vista or Windows Server 2008 that is joined to the Active Directory domain in which you will create the GPOs.

On the desktop, click the Start button, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

If the User Account Control dialog appears, verify the operation is what you requested, and click Continue.

Clear the current audit policy settings by typing the following line at the command prompt, and then press ENTER:

Copy the new EC-WSSGAuditPolicy-MS.txt and EC-WSSGAuditPolicy-DC.txt (or SSLF-WSSGAuditPolicy-MS.txt and SSLF-WSSGAuditPolicy-DC.txt) files to the NETLOGON share of one of the domain controllers in your environment, overwriting the existing versions of the files.

The computer GPOs included with this guide will use the new EC-WSSGAuditPolicy-MS.txt and EC-WSSGAuditPolicy-DC.txt files (or SSLF-WSSGAuditPolicy-MS.txt and SSLF-WSSGAuditPolicy-DC.txt files) to modify and configure the audit policy settings on your computers.
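The modification procedure above, scripted for a reference computer, as an added example that is not part of the security guide: it applies a small set of subcategory changes with Auditpol.exe, exports the complete effective policy to a file, verifies the changed rows from the export, and only then copies the file over the member server policy file on NETLOGON. It assumes that the guide's policy .txt files are in the format Auditpol.exe writes with its backup option (the guide does not state this), that the share path in $Target is a placeholder for your own domain controller, and that the prompt is elevated.

```powershell
# Added example: change audit subcategories on one computer, export them, verify, and publish.
$Target = '\\DC01\NETLOGON\EC-WSSGAuditPolicy-MS.txt'   # placeholder; point at your domain controller

# Subcategory -> success/failure values as accepted by "auditpol /set".
# Example change: SSLF-style Failure auditing for File System and Registry on an EC member server,
# while keeping Process Creation at the recommended Success.
$Changes = @{
    'File System'      = @{ success = 'disable'; failure = 'enable' }
    'Registry'         = @{ success = 'disable'; failure = 'enable' }
    'Process Creation' = @{ success = 'enable';  failure = 'disable' }
}

foreach ($sub in $Changes.Keys) {
    $s = $Changes[$sub].success
    $f = $Changes[$sub].failure
    auditpol /set /subcategory:"$sub" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$sub'" }
}

# Export the whole effective policy (every subcategory, not only the ones changed above).
$local = Join-Path $env:TEMP 'AuditPolicy-export.txt'
auditpol /backup /file:"$local" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'auditpol /backup failed' }

# Verify the changed subcategories from the exported file rather than trusting the set calls.
$rows = Import-Csv -Path $local
foreach ($sub in $Changes.Keys) {
    $row = $rows | Where-Object { $_.Subcategory -eq $sub }
    if (-not $row) { throw "Subcategory '$sub' is missing from the export" }
    '{0,-20} {1}' -f $sub, $row.'Inclusion Setting'
}

# Publish: overwrite the file the GPO startup script reads; AD DS replicates it to the other DCs.
Copy-Item -LiteralPath $local -Destination $Target -Force
```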

As previously discussed, the solution implemented by the GPOs included with this guide for configuring the Audit policy subcategories creates the WSSGAudit scheduled task on all computers in your environment. If you remove the GPOs that accompany this security guide from your environment, you might also want to delete the scheduled task. The scheduled task should not affect the performance of computers running Windows Server 2008, even if you remove the GPOs included with this guide from the computers in your environment.

To delete the WSSGAudit scheduled task from the computers in your environment

Depending on your environment type, delete the following six files from the NETLOGON share of one of the domain controllers in your environment:

For the EC environment:

EC-WSSGAuditPolicy-MS.cmd

EC-WSSGApplyAuditPolicy-MS.cmd

EC-WSSGAuditPolicy-MS.txt

EC-WSSGAuditPolicy-DC.cmd

EC-WSSGApplyAuditPolicy-DC.cmd

EC-WSSGAuditPolicy-DC.txt

For the SSLF environment:

SSLF-WSSGAuditPolicy-MS.cmd

SSLF-WSSGApplyAuditPolicy-MS.cmd

SSLF-WSSGAuditPolicy-MS.txt

SSLF-WSSGAuditPolicy-DC.cmd

SSLF-WSSGApplyAuditPolicy-DC.cmd

SSLF-WSSGAuditPolicy-DC.txt

Create an empty text file, name it DeleteWSSGAudit.txt, and copy it to the NETLOGON share of one of the domain controllers in your environment. The text file will automatically replicate to all domain controllers in your environment.

The WSSGAudit scheduled task checks for the DeleteWSSGAudit.txt file every time it runs, and when it finds the file, the WSSGAudit scheduled task deletes itself. Because the WSSGAudit scheduled task is configured to run every hour, it should not take long before the task is deleted from all of the computers in your environment.